hexena – Haskell EXEcutable aNAlyser

This project is a collection of tools to examine executables/malware. They work more or less in concert with each other, moving your analysis through a workflow. The next stage is to separate the heart of hexena into library functions. The thought is to keep the library ‘Haskellized’, at least for the moment. Documentation is admittedly loose for now; however, that is mostly because the interfaces for the library haven’t been formalized yet. The final stage will be an integrated environment for the analysis of malware.
Malware is saved in a “.hexena” file, which is actually an IFF file (see the IFF reference below). I do not feel comfortable with bare executables lying on my hard disk, so they are encapsulated in a container file so that they cannot be executed directly by accident (if somebody is working on a Windows machine) and do not set virus scanners haywire. Note that the container only guards against accidental execution: an uncompressed BODY chunk still carries the original bytes, so a signature-based scanner may well flag the file unless the payload is compressed.
The IFF format has a lot of advantages; see the IBM developerWorks article on IFF chunks: http://www.ibm.com/developerworks/power/library/pa-spec16/?ca=dgr-lnxw07IFF.Chunks
The file format is not standardized yet, so please beware! All data is stored in a FORM.MALW file, i.e. a top-level IFF FORM chunk whose form type is MALW.
Currently known chunks:

  • MWHD: malware header with size of file and compression used
  • BODY: the malware, may be compressed
  • FORM.HIST: histogram information
  • PEHD: PE header information
  • ANNO: annotation (this is a standard IFF chunk)
  • FORM.HASH: hashes of this file (for identification)
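
As an added example (not hexena code, which is written in Haskell), the Python below builds a constructed FORM.MALW container holding the chunks listed above and walks it back with a bounds-checked IFF chunk parser. It assumes the standard IFF layout: a 4-byte chunk ID, a big-endian 32-bit length, the payload padded to an even length, and FORM chunks carrying a 4-byte form type ahead of their sub-chunks. The internal layout of MWHD (a size followed by a compression code) and the SHA2 sub-chunk inside FORM.HASH are assumptions, since the page does not define them, and the BODY payload is a dummy byte string, not an executable.

```python
import hashlib
import struct
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Chunk:
    ident: bytes                       # 4-byte chunk ID, e.g. b"BODY"
    form_type: Optional[bytes] = None  # only set for FORM chunks, e.g. b"MALW"
    data: bytes = b""                  # payload of a leaf chunk
    children: List["Chunk"] = field(default_factory=list)

    @property
    def name(self) -> str:
        n = self.ident.decode("ascii")
        return f"{n}.{self.form_type.decode('ascii')}" if self.form_type else n


def build_chunk(ident: bytes, payload: bytes) -> bytes:
    """Encode one IFF chunk: ID, big-endian 32-bit length, payload, pad to even."""
    if len(ident) != 4:
        raise ValueError("IFF chunk IDs are exactly four bytes")
    pad = b"\x00" if len(payload) % 2 else b""
    return ident + struct.pack(">I", len(payload)) + payload + pad


def build_form(form_type: bytes, chunks: List[bytes]) -> bytes:
    """A FORM chunk's payload is the 4-byte form type followed by its sub-chunks."""
    return build_chunk(b"FORM", form_type + b"".join(chunks))


def parse_chunks(buf: bytes, offset: int = 0, end: Optional[int] = None) -> List[Chunk]:
    """Walk the chunks in buf[offset:end], recursing into FORM chunks.

    Every declared length is checked against the enclosing boundary before
    slicing, so a truncated or tampered container raises ValueError instead
    of silently yielding a partial payload.
    """
    end = len(buf) if end is None else end
    out: List[Chunk] = []
    while offset < end:
        if end - offset < 8:
            raise ValueError(f"truncated chunk header at offset {offset}")
        ident = buf[offset:offset + 4]
        (length,) = struct.unpack(">I", buf[offset + 4:offset + 8])
        start, stop = offset + 8, offset + 8 + length
        if stop > end:
            raise ValueError(f"chunk {ident!r} at {offset} claims {length} bytes, "
                             f"only {end - start} available")
        if ident == b"FORM":
            if length < 4:
                raise ValueError(f"FORM at {offset} too short to carry a form type")
            out.append(Chunk(ident, buf[start:start + 4],
                             children=parse_chunks(buf, start + 4, stop)))
        else:
            out.append(Chunk(ident, data=buf[start:stop]))
        offset = stop + (length & 1)  # skip the pad byte after an odd-length payload
    return out


def find(chunk: Chunk, name: str) -> Optional[Chunk]:
    """Depth-first lookup by dotted name, e.g. "FORM.HASH" or "BODY"."""
    if chunk.name == name:
        return chunk
    for child in chunk.children:
        hit = find(child, name)
        if hit:
            return hit
    return None


def chunk_names(chunk: Chunk, depth: int = 0) -> List[str]:
    """Indented listing of the chunk tree, handy as a quick triage dump."""
    lines = ["  " * depth + chunk.name]
    for child in chunk.children:
        lines.extend(chunk_names(child, depth + 1))
    return lines


# Constructed sample: a dummy byte string standing in for a PE image, not an executable.
SAMPLE_BODY = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"dummy payload for the example"
SAMPLE_NOTE = b"sample built for hexena IFF walkthrough"   # odd length: exercises padding

# Assumed layouts (the page does not define them): MWHD = >I size, B compression
# code (0 = none); FORM.HASH holds a hypothetical "SHA2" chunk with the hex digest.
SAMPLE_FILE = build_form(b"MALW", [
    build_chunk(b"MWHD", struct.pack(">IB", len(SAMPLE_BODY), 0)),
    build_chunk(b"BODY", SAMPLE_BODY),
    build_chunk(b"ANNO", SAMPLE_NOTE),
    build_form(b"HASH", [build_chunk(b"SHA2", hashlib.sha256(SAMPLE_BODY).hexdigest().encode())]),
])


def load_hexena(buf: bytes) -> Chunk:
    """Parse a container and insist that the outermost chunk is FORM.MALW."""
    top = parse_chunks(buf)
    if len(top) != 1 or top[0].name != "FORM.MALW":
        raise ValueError("not a FORM.MALW container")
    return top[0]


def is_well_formed(buf: bytes) -> bool:
    try:
        load_hexena(buf)
        return True
    except ValueError:
        return False


def body_consistent(root: Chunk) -> bool:
    """Cross-check BODY against the MWHD size and the stored SHA-256 (assumed layouts)."""
    body, head, digest = find(root, "BODY"), find(root, "MWHD"), find(root, "SHA2")
    if not (body and head and digest):
        return False
    size, compression = struct.unpack(">IB", head.data)
    if compression != 0 or size != len(body.data):
        return False
    return hashlib.sha256(body.data).hexdigest().encode() == digest.data


if __name__ == "__main__":
    root = load_hexena(SAMPLE_FILE)
    print("\n".join(chunk_names(root)))
    print("body consistent:", body_consistent(root))
```

Run it directly to print the chunk tree and the consistency check. The point of checking every declared length against the enclosing boundary before slicing is that a truncated or length-tampered container fails loudly rather than yielding a partial BODY, which matters when the digest stored in FORM.HASH is what identifies the sample.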

Download: hexena-0.1.1.tar.gz (53.4 KB)
Read more here: http://code.google.com/p/hexena/